Skip to content

nut: enable SSL via NSS by default#29893

Draft
danielfdickinson wants to merge 16 commits into
openwrt:masterfrom
danielfdickinson:pr-nut-enable-nss-for-ssl-by-default
Draft

nut: enable SSL via NSS by default#29893
danielfdickinson wants to merge 16 commits into
openwrt:masterfrom
danielfdickinson:pr-nut-enable-nss-for-ssl-by-default

Conversation

@danielfdickinson

@danielfdickinson danielfdickinson commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

📦 Package Details

Maintainer: @danielfdickinson

Description:

Enable libnss (Mozilla NSS) for SSL, and make it the default.

  • Check if NSS causes problems for non-SSL setups. If so, add a nossl variant.
    * A nossl variant is not required. That is, with no certificate configured NSS-enabled version accepts the old default (no SSL) version's connections and vice-versa. Behaviour with certificates configured depends on whether SSL required is configured.
  • Verify NSS as currently packaged for OpenWrt has all necessary capabilities for NUT.
  • Ensure NUT build and configuration can completely support SSL with NSS
    • Add missing configuration options to nut-server-config.sh
    • Add missing configuration options to nut-monitor-config.sh
    • Update CONFIGURE_ARGS to support certificate verification
    • Allow to opt-out of build with cert verification for custom builds
    • Re-test with these changes

🧪 Run Testing Details

  • OpenWrt Version: OpenWrt SNAPSHOT r35062-a1ab701efa
  • OpenWrt Target/Subtarget: 27xx/2709
  • OpenWrt Device: Raspberry Pi 2 Model B Rev 1.1
  • UPS: Tripp-Lite ECO550UPS

✅ Formalities

  • I have reviewed the CONTRIBUTING.md file for detailed contributing guidelines.

@danielfdickinson danielfdickinson force-pushed the pr-nut-enable-nss-for-ssl-by-default branch from f6f5b0f to bfb8e11 Compare July 2, 2026 06:35
@BKPepe BKPepe requested a review from Copilot July 2, 2026 10:12

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Enable NSS (libnss / Mozilla NSS) as an SSL backend for NUT on OpenWrt, making NSS the default SSL provider.

Changes:

  • Add CONFIG_NUT_SSL_NSS build option and default it to enabled.
  • Add libnss as a conditional dependency and wire NSS/OpenSSL selection into CONFIGURE_ARGS.
  • Minor whitespace/indent cleanup in Makefile and Config.in.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
net/nut/Makefile Adds NSS config/deps and updates ./configure flags to select NSS/OpenSSL SSL backends.
net/nut/Config.in Introduces a new NUT_SSL_NSS Kconfig option (default y) and adjusts OpenSSL option dependency.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread net/nut/Makefile Outdated
Comment thread net/nut/Config.in Outdated

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Comment thread net/nut/Config.in Outdated
@danielfdickinson danielfdickinson force-pushed the pr-nut-enable-nss-for-ssl-by-default branch from 240f8a6 to b9bacf5 Compare July 4, 2026 15:19
@danielfdickinson danielfdickinson marked this pull request as draft July 4, 2026 22:32
@danielfdickinson danielfdickinson force-pushed the pr-nut-enable-nss-for-ssl-by-default branch from b9bacf5 to c95a44d Compare July 4, 2026 23:15

@openwrt-ai openwrt-ai left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 8 new commits; no new issues found.


Generated by Claude Code

@danielfdickinson

Copy link
Copy Markdown
Contributor Author

@BKPepe I wonder if drafts could/should be excluded from LLM review and/or run testing until taken off draft? Or at least get a much lower priority. At least for me a draft is in (usually in vain) hopes of other eyeballs / comments / suggestions on a PR, but isn't necessarily ready for hard-core review.

The previous configuration did not make clear the
need for productid and vendorid options.

See openwrt#29607 (comment)

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
We should fallback to the default if one is not specified. In addition
find_statepath is the wrong place to check for its existence - it should
be created by the initscript if it does not exist.

See openwrt#29607 (comment)

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
While driverpath is could in theory be configurable, this was not implemented
in the OpenWrt NUT package, and there is not need for it. Therefore remove the
sample configuration for it, and setting that configuration in the upsd.conf file.

See openwrt#29607 (comment)

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
The trigger script and instance to reload should depend on which
initscript is calling interface_triggers. It wasn't, so we fix that.

See openwrt#29607 (comment)

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
The defaults were triggiering on any activity on the network, which
caused excessive restarts. So default to no interface trigger, with
'all' (or specific interfaces) as an option.

See openwrt#29607 (comment)

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Script executables have changed, therefore bump PKG_RELEASE

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
* Fixes a missing word in a comment
* Fixes inconsistent indentation in sample configurations
* Drops redundant default assignment in find_statepath()

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
We claimed we only supported a single upsd section named 'upsd' and a
single uspmon section named 'upsmon', but when determining RUNAS
and STATEPATH we were using overly-complex functions as we were
attempting to support multiple upsd and upsmon sections.

Simplify the logic by adhering to our stated support.

While were are at it we make RUNAS handling more consistent between
nut-server (upsd) and nut-monitor (upsmon).

We no longer try to limp along if RUNAS is not set by find_runas; to do
this properly would require over-complicated logic when setting file
and directory permissions and ownership.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Factor out some common validation code into some validator functions,
and add more UCI config validation.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Using add_interface_triggers and check_interface_up is a
better separation of concerns and the code has little in
common (no duplication of code concerns).

While we are at it make both nut-monitor and nut-server failure of
add_interface_triggers non-fatal with a logged error message.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Enable libnss (Mozilla NSS) for SSL, and make it the default.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
@danielfdickinson danielfdickinson force-pushed the pr-nut-enable-nss-for-ssl-by-default branch from c95a44d to bf8bf3b Compare July 11, 2026 14:54
@danielfdickinson danielfdickinson force-pushed the pr-nut-enable-nss-for-ssl-by-default branch 2 times, most recently from c02f99a to c6e9a12 Compare July 11, 2026 15:27

@openwrt-ai openwrt-ai left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the NUT commits added since the last review (SSL/NSS options, cert verification, the shared NSS database setup, the RUNAS/STATEPATH and interface-trigger refactors, and the Makefile whitespace reformat). Commit messages match their changes. Two functional bugs in the new nut-{server,upsmon}.default uci-defaults scripts are noted inline, plus a couple of nits.


Generated by Claude Code

Comment thread net/nut/files/nut-server.default Outdated
Comment thread net/nut/files/nut-upsmon.default Outdated
Comment thread net/nut/files/nut-server.default Outdated
Comment thread net/nut/files/nut-upsmon.default Outdated
Comment thread net/nut/Makefile Outdated
Comment thread net/nut/files/nut-server-config.sh.functions Outdated
Expose the configuration knobs as UCI config for more SSL options.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Enable CERTVERIFY, CERTREQUEST, and related options for requiring
verified certificates from peers.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
The new CI reminds on non-standard indentation, so adjust Makefile
to quiet the CI.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Create a group to allow sharing directories files between upsd and
upsmon, and create a shared NSS certificate/key database on postinst
of upsd or upsmon (providing the database dir does not already exist).

Also enables preserving the shared database across sysupgrades.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Update deprecated configure option for NUT build.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
@danielfdickinson danielfdickinson force-pushed the pr-nut-enable-nss-for-ssl-by-default branch from c6e9a12 to c6fa3ec Compare July 12, 2026 07:31

@openwrt-ai openwrt-ai left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the changes since the last review (branch was rebased). The new diff addresses the prior feedback: group_existgroup_exists, the broken if "$(command -v certutil)"if command -v certutil >/dev/null 2>&1, disable_weak_ssl now read via config_get_bool with an unconditional DISABLE_WEAK_SSL write, and the Makefile postinst shebang de-indented to column 0. All correct; no new issues found.


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants